gbv / login-server

Login and connect accounts with multiple identity providers
https://coli-conc.gbv.de/login/
MIT License

Reword help about data sharing #73

Closed nichtich closed 3 years ago

nichtich commented 3 years ago

Make clear the data is shared with selected applications and link to /sessions for more information (should be done with #72).

stefandesu commented 3 years ago

Looks good. I'll take a stab at #70 and #72 and we can merge it together.

Edit: I'd suggest putting all of this into 0.4.0. Also, all these changes should be sufficient to close #27 and #66 as well.

stefandesu commented 3 years ago

One issue with this new wording is that it sounds like the data is only made available for those applications listed under /sessions. But more than one application can use the same session if they are in the same browser, and only the application that initiated the login will be shown in the list. I would suggest listing the "selected applications" somewhere (on the top of /sessions?).

stefandesu commented 3 years ago

One important piece of information that was missing is that, for some providers, access tokens are saved (and provided to applications) as well. For example, we need the OAuth token and token secret for Wikidata to be able to gain write access.

In case of OAuth, this isn't an issue since they can only be used in combination with an (if I understand correctly, your unique) application token. However, in the easydb integration, the token is also saved since there are plans to use this integration read/write in easydb as well. Those are not application-specific and could, in theory, be abused. (However, I will research if this is actually the case, and even if it is, we only provide access to trusted applications, so it shouldn't be an issue, right?)

Edit regarding easydb: Authenticated session tokens will expire after some (undefined) amount of time. So yes, this token can probably be used to access the easydb instance - that's why we're saving it.

nichtich commented 3 years ago

I would suggest listing the "selected applications" somewhere (on the top of /sessions?).

Yes. Or show the application list as part of /help.

stefandesu commented 3 years ago

I made some adjustments (especially related to #72) and I think this is ready to be merged. @nichtich, can you take one last look at the changes?

stefandesu commented 3 years ago

I merged it into dev already, but I'd still like to have @nichtich look through it before we release the new version.